Restricting networking APIs



Networking APIs can be restricted in two ways. To prevent malicious activity, access to commonly reserved ports is blocked; you can’t override these blocks in your code. To control a SWF file’s access to network functionality with regard to other ports, you can use the allowNetworking setting.

Blocked ports

Flash Player and Adobe AIR have restrictions on HTTP access to certain ports, as do browsers. HTTP requests are not permitted to certain standard ports that are conventionally used for non-HTTP types of servers.

Any API that accesses a network URL is subject to these port blocking restrictions. The only exception is APIs that call sockets directly, such as Socket.connect() and XMLSocket.connect(), or calls to Security.loadPolicyFile() in which a socket policy file is being loaded. Socket connections are permitted or denied through the use of socket policy files on the target server.

The following list shows the ActionScript 3.0 APIs to which port blocking applies:

FileReference.download(),FileReference.upload(), Loader.load(), Loader.loadBytes(), navigateToURL(), NetConnection.call(), NetConnection.connect(), NetStream.play(), Security.loadPolicyFile(), sendToURL(), Sound.load(), URLLoader.load(), URLStream.load()

Port blocking also applies to Shared Library importing, the use of the <img> tag in text fields, and the loading of SWF files in an HTML page using the <object> and <embed> tags.

The following lists show which ports are blocked:

HTTP: 20  (ftp data), 21 (ftp control)

HTTP and FTP: 1 (tcpmux), 7 (echo), 9 (discard), 11 (systat), 13 (daytime), 15 (netstat), 17 (qotd), 19 (chargen), 22 (ssh), 23 (telnet), 25 (smtp), 37 (time), 42 (name), 43 (nicname), 53 (domain), 77 (priv-rjs), 79 (finger), 87 (ttylink), 95 (supdup), 101 (hostriame), 102 (iso-tsap), 103 (gppitnp), 104 (acr-nema), 109 (pop2), 110 (pop3), 111 (sunrpc), 113 (auth), 115 (sftp), 117 (uucp-path), 119 (nntp), 123 (ntp), 135 (loc-srv / epmap), 139 (netbios), 143 (imap2), 179 (bgp), 389 (ldap), 465 (smtp+ssl), 512 (print / exec), 513 (login), 514 (shell), 515 (printer), 526 (tempo), 530 (courier), 531 (chat), 532 (netnews), 540 (uucp), 556 (remotefs), 563 (nntp+ssl), 587 (smtp), 601 (syslog), 636 (ldap+ssl), 993 (ldap+ssl), 995 (pop3+ssl), 2049 (nfs), 4045 (lockd), 6000 (x11)

Using the allowNetworking parameter

You can control a SWF file’s access to network functionality by setting the allowNetworking parameter in the <object> and <embed> tags in the HTML page that contains the SWF content.

Possible values of allowNetworking are:

  • "all" (the default)—All networking APIs are permitted in the SWF file.

  • "internal"—The SWF file may not call browser navigation or browser interaction APIs, listed later in this section, but it may call any other networking APIs.

  • "none"—The SWF file may not call browser navigation or browser interaction APIs, listed later in this section, and it cannot use any SWF-to-SWF communication APIs, also listed later.

The allowNetworking parameter is designed to be used primarily when the SWF file and the enclosing HTML page are from different domains. Using the value of "internal" or "none" is not recommended when the SWF file being loaded is from the same domain as its enclosing HTML pages, because you can’t ensure that a SWF file is always loaded with the HTML page you intend. Untrusted parties could load a SWF file from your domain with no enclosing HTML, in which case the allowNetworking restriction will not work as you intended.

Calling a prevented API throws a SecurityError exception.

Add the allowNetworking parameter and set its value in the <object> and <embed> tags in the HTML page that contains a reference to the SWF file, as shown in the following example:

<object classic="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" 
    Code base="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,124,0"  
    width="600" height="400" ID="test" align="middle"> 
<param name="allowNetworking" value="none" /> 
<param name="movie" value="test.swf" /> 
<param name="bgcolor" value="#333333" />  
<embed src="test.swf" allowNetworking="none" bgcolor="#333333"  
    width="600" height="400" 
    name="test" align="middle" type="application/x-shockwave-flash"  
    pluginspage="http://www.macromedia.com/go/getflashplayer" /> 
</object>

An HTML page may also use a script to generate SWF-embedding tags. You need to alter the script so that it inserts the proper allowNetworking settings. HTML pages generated by Flash and Adobe Flex Builder use the AC_FL_RunContent() function to embed references to SWF files. Add the allowNetworking parameter settings to the script, as in the following:

AC_FL_RunContent( ... "allowNetworking", "none", ...)

The following APIs are prevented when allowNetworking is set to "internal":

navigateToURL(), fscommand(), ExternalInterface.call()

In addition to the APIs on the previous list, the following APIs are also prevented when allowNetworking is set to "none":

sendToURL(), FileReference.download(), FileReference.upload(), Loader.load(), LocalConnection.connect(), LocalConnection.send(), NetConnection.connect(), NetStream.play(), Security.loadPolicyFile(), SharedObject.getLocal(), SharedObject.getRemote(), Socket.connect(), Sound.load(), URLLoader.load(), URLStream.load(), XMLSocket.connect()

Even if the selected allowNetworking setting permits a SWF file to use a networking API, there may be other restrictions based on security sandbox limitations (see Security sandboxes).

When allowNetworking is set to "none", you cannot reference external media in an <img> tag in the htmlText property of a TextField object (a SecurityError exception is thrown).

When allowNetworking is set to "none", a symbol from an imported shared library added in the Flash authoring tool (not ActionScript) is blocked at run time.